Facebook: Yeah, we hoovered up 1.5 million email address books without permission. But it was an accident! Facebook has admitted to harvesting email contacts from 1.5 million people without permission. Since May 2016, Facebook collected all email contacts when some new users signed up to the antisocial network. An anonymous security researcher, who sports the handle e-sushi on Twitter, first noticed that the company was asking …
Sure, the email slurping code was there by mistake - it wrote itself - and they were asking for a password they didn't need just because - what was wrong with the usual confirmation link?
What is still needed to slap a ginormous fee on the "social engineering network"?
Oh please. In a culture of "our product is peoples' activities", surely someone just decided to do a little research project without bothering to get permission. After all, the users clicked through the EULA didn't they?
Wasn't proven that that they have been doing this for ages on phones, of EVERY user of ANY Facebook family app, not just facebook.
Bridge etc anyone thinks it's only 1.5M or an accident.
Fines work out at cents per user. Should be an additional $100 / £100 / €100 per user on top of the fine, paid to users. Home Office, Microsoft (inc LinkedIn pressure), Google, Facebook, etc.
Wasn't proven that that they have been doing this for ages on phones, of EVERY user of ANY Facebook family app, not just facebook.
Yes. WhatsApp sucks all phone contacts. Needless to say I'm not pleased as I have no control if someone who has my details installs an app like that and my details are sucked in.
I recently installed WhatsApp on a phone that I use for business and I was shocked when the first thing it did after installation was to slurp through my phone contacts and cross-match my contacts with other WhatsApp users. This was done without my permission, of course (as I would have deleted all contacts if I had known).
> What is still needed to slap a ginormous fee on the "social engineering network"?
They haven't completed their standard sequence of voluntary disclosures:
Thursday: 1.5 Million email addresses.
Following Monday: Umm, scratch that. It was more like 10 Million.
Tuesday: Well, it was somewhere between 100 Million and 400 Million.
Thursday: OK, it was 1 Billion, give or take a few.
Totally by accident. Mistake. Never meant to do that. Who knew?
To be followed by a Zuckerfuck interview blitz on CNN, NBC, MSNBC, explaining how they are striving to do better and how he is personally introspecting over this.
What is still needed to slap a ginormous fee on the "social engineering network"?
That probably won't change a thing. Now take Zuck and associates out behind the barn and whack them repeatedly with a large chunk of wood might work.
"...and they were asking for a password they didn't need just because..."
I'm still trying to figure out how an email password would validate anything (aside, of course, from the right to access the email account).
Then there's the whole "NEVER give out your password!(!)" thing...
Would they have to be *real* contacts?
Obviously it wouldn't be appropriate to suggest that end users (or others authorised) pollute their own contacts list with what might be called "fake contacts".
Think along similar lines to the TrackMeNot browser addon, except ideally there'd be a reward for messing with Facebook's slurped info.
Anybody want to crowdfund someone (not me!) for that?
Previously mooted alternatives, like blocking app access to contact lists, don't seem to have got very far, perhaps partly because the crinimals are in charge at the moment.
[nb this might be technically trickier than it sounds, I dunno. But these people have made it very clear that neither legality nor morality matters to them, only the great god Mammon, so why should the rest of us give a feck?]
What's trackmenot:
https://cs.nyu.edu/trackmenot/
How about $100 per contact ? - seems fair...
$500 + a baseball bat/contact.
$50 goes to the person who gave over their email address allowing the slurping of the contacts.
$450 and the bat goes to each of the contacts.
I'll leave it up to your imagination as to what to do with said bat.
The number looks low - 1.5M new accounts in three years? - but it looks it happened only for people using specific mail systems (Business Insider lists Yandex and GMX), maybe those Facebook had no other way to slurp the data from. While this can justify the low number, it could also be a evidence it was deliberately included to access those data explicitly.
I'm getting hacked off with this cycle of fining companies for wrongdoing.
It ends up as being a tax collected by the Govt, which then has a vested interest in allowing said companies to carry on being naughty.
I think it should be law that the fine is divvied up and shared equally amongst the people affected - in this case the users.
I think it should be law that the fine is divvied up and shared equally amongst the people affected - in this case the users.
It should also be law that the fines hurt the execs deeply and personally. What's a $100,000 fine if the practice earns you $10.000/day?
Find the poorest family in each exec's state and do a house-swap for a year. Divvy up their income (above basic living costs) amongst the victims for the next 10 years. Add another 5 years for every year they managed to delay it through the courts (and throw their lawyers into the mix as well).
Make it absolutely NOT worth abusing people like this.
Can someone please explain how this can considered as being outsid eof the normal definition of theft and/or fraud ?
What purpose do laws serve when bastards like this go about their business in complete impunity. Fining these shitheads serves no purpose other than to make small adjustments in a year end statement.
Seriously when will we start throwing them in jail ?
Theft - Permanently depriving someone of something or devaluing something
Fraud - Intentional misrepresentation for gain
Those are basically the UK definitions, other jurisdictions may vary.
IANAL, Hopefully someone who is will be along shortly to correct me.
Fraud. If the data didnt have value, Facebook wouldn't want it. And there was deception involved as people thought they were authenticating themselves, not providing Facebook with their intellectual property. Hell, a ex-Intel engineer is being sued by Intel for among other things taking employee contact information with him when he left for Micron:
https://www.theregister.co.uk/2018/11/29/intel_3d_xpoint_complaint/
Fraud. If the data didnt have value, Facebook wouldn't want it. And there was deception involved as people thought they were authenticating themselves, not providing Facebook with their intellectual property.
Not intellectual property. Personal information of other parties who most likely did not consent to Facebook having their information.
Theft also includes 'to obtain pecuniary advantage' ie you take an item but do not intend to keep it, you do however intend to make use of possessing it to make money. Like taking items of value and then using them as collateral for a loan. You then return the items and do a runner with the loan money.
Business leaders, nebulous forms of investment etc. A normal person nicks a few grand, even under duress, then they're banged up without further ado. A very rich influential person is directly involved with impropriety potentially involving billions? A misunderstanding, a gaffe, they were otherwise Doing Good Works, etc. Give them a tax break instead.
from giving your email address to a 3rd party ?
(I know they do, I have done a LOT of reading on this).
So any user that happily types their password into Facebook loses all protection ? No, it may not be fair, or nice, but the bottom line is NEVER GIVE A THIRD PARTY YOUR LOGIN CREDENTIALS.
(Incidentally, for all the sniffiness about SMS 2FA, accounts so protected would have been safe from Facebooks prying eyes).
Note also this applies to companies that "require" you to give them your Facebook/Twitter/MySpace login details.
Note also this applies to companies that "require" you to give them your Facebook/Twitter/MySpace login details.
"Sorry, I don't have those accounts." isn't taken seriously by many companies any more. I find that to get them to take it seriously, bring up "security best practices and the HR droid goes quiet. I find the look on their face is the same one you get from a marketing droid if they ask about your "social" use of the web.
Why wouldn't it apply? They collected email addresses without any consent between May 2018 and last month, that falls right within GDPR. And I don't think that's their first offense now, so that could justify slapping them with a fine on the high end of the range (up to 4% annual turnover)
It should apply, but the GDPR enforcement people don't seem to actually be doing anything. One fine against Google for not all that much, and a few minor actions against minor companies. Haven't they had long enough to start investigating these places? How long do they need to do this?
You sure? I know there's a self explanatory expectation with regards to privacy and DE and NL, but times they are a changing...
As you can see in this Heise article today, Seehofer is trying to bring government snooping, hacking, Trojan use, and node (FRA) surveillance up to NSA levels.
As for NL, this stopped at the moment government there for example introduced RIPE and node monitoring (and FW to "friendlies"), ordered all telcos to cooperate unconditionally, its lawinforcement has the highest count of phone tapping in the western world, labelled all its citizens with an unique identity number, and discourages all cash transactions actively. On top of that the Dutch government doesn't "bend" this just for "state biz" but also likes to facilitate to make a nice buck (in line with Dutch culture): guess why Google loves their shiny new (state sponsored) Groningen center?
So you were saying..?
They will need some more time as they like to be very certain (no company ever won an appeal yet and they would like to keep it that way). And the fine will be over the revenue at the time of fining, not at the time the "accident" happened. With most companies that just means a higher fine, so again no problem for them (only for those companies, but that is their problem).
Some explanations here:
https://www.theregister.co.uk/2019/03/14/more_than_200000_gdpr_cases_in_the_first_year_55m_in_fines/
Basically, they are still processing legacy (pre-GDPR) cases, and they also need to harmonize the amounts of fines between countries.
Big cases will always take time anyway, you can't build a file against a tech giant like Facebook and its army of lawyers in 3 weeks.
"It should apply, but the GDPR enforcement people don't seem to actually be doing anything. One fine against Google for not all that much, and a few minor actions against minor companies. Haven't they had long enough to start investigating these places? How long do they need to do this?"
I suspect the higher end of the fine range is being reserved for when intent can be proven. You don't transport someone to Australia for stealing a loaf of bread these days.
They might even do so, in an unusual fit of honesty; but what they will not do is to delete the social graph/connections that they have learned as a result - this is what I would like to see deleted.
Maybe punishment should be that Zuckerberg's address book should be made public, see how he likes that. Although that would be unfair on those who are exposed as talking to him.
I went through a phase of creating fake e-mail addresses in my address lists. They were usually something like aardvark@neverhurtanyone.com (not an actual example). This way, if someone compromised one of my e-mail accounts, I should get a bounce from the first dodgy e-mail sent out. (I assumed, of course, that programmers were simple souls who would go through a list alphabetically).
L1nk3dIn asked me if I wanted to add aardvark into my contacts list (or whatever they call it).
Now, I'm not accusing anybody of anything, but I was on the "social network for suits" way before they were acquired by that bunch in Seattle, and it didn't use to have this feature. I was with my last company for 22 years. In that time it had four different owners and five different names (it has a sixth name now but I am no longer there). All of these incarnations used Outlook. The old e-mail servers were usually kept going for about three months after a name-change to hoover up incoming messages from people unaware of the new e-mail address. The week after the old server was decommissioned I would get an invitation to befriend about 4 to 6 people from my old address book. They seemed to be randomly chosen, except they were always people I had not recently communicated with and they were always on a different e-mail system/domain.
Although one was an aardvark.
Edited to add that I never offered any e-mail lists to anybody.
That's a weird post to give a thumb down to!
It's all 100% true and you can contact my friend aardvark to confirm.
Although he is not replying to e-mails from me any more, I wonder if I have offended him in some way?
When I originally spotted this unusual behaviour, I assumed the other parties must have opened their address lists up to L*******. This was perhaps rather naive, but the number of invitations was low. Only the (assumed) non-existance of the neverhurtanyone.com domain alerted me to the actual source of the addresses.
I also never re-used the fake addresses anywhere else.
I saw L1nk3dIn asking me for my password as well. But that happened even before it was acquired by that bunch in Seattle.
I didn't give my permission, but actually it would have made no difference, when I joined the "social network for suits" I created a new email box and I used it only as the backend for L1nk3dIn, I never mixed it with the other addresses, this should be a standard practice with all the social networks.
Utter, utter BS! There is no way Facebook could accidentally scrape and upload contacts, to develop something that could log into a webmail account and go through the contacts and then send them to Facebook would take quite a lot of development work and simply could not happen by accident. It's like building a house without planning permission and telling the council you just bought some brick and dumped them on your land, but they just so happened to fall in such a way that they landed in the shape of a house.
Please tell me they won't get away with pretending it was an accident??
That's before you even look at them acutally asking for your password, WTF?? That creepy little android c#nt Zuckerberg needs to learn some respect.
re house building
A few years back, in the UK, a guy "accidentally" built without planning permission a quite substantial house inside a barn to hide it from public view in the hope that eventually, after 4 years i think without complaint, it would be deemed a valid house and he could then demolish the barn around it.
Last i read, the authorities demanded it be demolished.
I've been telling people about this for years - once our address books are out in the open, then we're going to start seeing robocalls with spoofed caller ID which uses the numbers of people we know and expect to hear from.
The shitstorm has already begun.
It's been their overt strategy since the beginning. They have been sowing the wind with deceptive and predatory behavior since the beginning. Their cavalier disregard for legal business and social norms isn't a mistake, and it isn't cute.
Don't use a weasel word like "screw-up" that helps re-enforce their false narrative that these things are anything accidental. They have worked hard to ensure that the whole process is a catch-22. When they rolled out mass facial recognition, the only way was to opt-out was by creating an account and agreeing to their terms of service. In the process they would suck all of your contacts out of your phone, your email accounts, and your address book the moment you signed in, BEFORE you could get to the opt out screen.
If you did opt out, they never removed the data they had already stolen. That's deliberate strategy, going on over years, exploiting weak oversight that they spent millions trying to influence to keep regulators off their back.
They have given you every justification to take the gloves off and unload on them. If any modern organization deserves to reap the whirlwind, it's Facebitch and it's Bitch in chief. This should be a steak dinner for you guys, sharpen your teeth and dig it!
They have given you every justification to take the gloves off and unload on them. If any modern organization deserves to reap the whirlwind, it's Facebitch and it's Bitch in chief. This should be a steak dinner for you guys, sharpen your teeth and dig it!
They won't stop until there's probably a revolution involving mass burning of data centers and senior management (and stockholders) hung from telephone poles. Even then, there will be someone or something stepping in after words to start again.
PT Barnum reckoned there was one sucker born every minute, Faecebook for the last three years seems to have been getting about thirty every minute.
What I would like to know is where and how does the Zuck find so many so easily?
I have an extensive portfolio of bridges and a Trainload of snake oil to sell.
Faecebook's behaviour with regard to it's (l)users, is comparable to Zuck handing everyone a tube of KY and asking them to turn around and drop their drawers.
How many more times do we have to read that Facebook have been caught harvesting data they are not entitled to, apologise for, then get found out doing something very similar again?
Surely there most be some entity with the teeth and balls to bitch slap Zuckerberg into compliance?
Does anybody believe that the number of users whose address book has been 'mistakenly' uploaded in just 1.5 million?
Does anybody believe that they'll really delete the data together with the derived phantom profiles (people who never joined FB but about whom FB knows a lot).
E.g. sites which have a web thingy ("web bug"????) linking to Facebook (and/or Twitty, and/or other antisocial networks) on every web page on theregister.co.uk ?
If so, why are they still there?
Does their continued presence make those sites which are displaying them part of the problem rather than part of the solution?
What would it take for those things to vanish?
is the bit at the end
"The ad giant made revenues of over $55.8bn in 2018, up 37 per cent from $40.6bn in 2017. It had 1.52 billion daily active users, up 9 per cent on the year before."
After all the bad publicity showing what the company is really like, they still increased their user base by 9% in a year.
"Last month it emerged that top management knew about Cambridge Analytica's shenanigans at least four months before the story hit the news. Facebook previously claimed, and testified in court, that it was completely unaware until alerted by the media."
Sounds to me like there should be some perjury trials and jail time incoming then.
You all think this is a problem, it's not. It's a solution. With all these people making better passwords, how else do you think we will get effective cracking list to hack Terry Wrist and his buddies accounts. This is progress, you just aren't supposed to know about it.
Now go back to work, pay your taxes and turn in your weapons.
Thank you,
Government man.
It could happen accidentally, I suppose. Hypothetically, let's say there was some code that was intended to slurp, say, only with the user's explicit permission. And then some programmeridiot "accidentally reused" it, either copy-pasting way too much or inheriting or just calling some higher level function...
Not that I believe for a second that this is what happened, mind you.
But then, a habit of checking stuff and thinking what it does isn't something one would expect from anyone applying for a job at FB nowadays, is it?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
